Part 1: Basic definitions
Definitions are stored in XML format in the me7xmls directory.
There is also a file called "mapdef.xsd" which defines the schema according to which the XML files are created.
When creating definitions or editing existing ones, I strongly recommend you use an editor which supports schemas and auto-completion, as it will make your life a lot easier.
Let's take a look at locating the 16 bit KRKTE.
The first thing is to find the KRKTE access in IDA Pro. This is simple - pick a binary you have a DAMOS for, and then go from there.
I will use the 551K RS4 binary for this example.
In this binary KRKTE is at 0x1C9DC. There are three places which access this value in the binary.
So we must choose one of them and concentrate on it. It is best to look for a spot that has unique code around it.
Like this one:
Time to create the initial XML:
<?xml version="1.0" encoding="UTF-8"?>
<map xmlns="http://prj-tuning.com/mapdef" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://prj-tuning.com/mapdef mapdef.xsd">
</map>
The first thing to add is the "ID". The "ID" is a unique identifier, which identifies the map.
There can be multiple XML files/definitions for the same ID. It is a good idea to name the file the same as the ID, so in this case KRKTE.xml.
Let's add the ID:
<?xml version="1.0" encoding="UTF-8"?>
<map xmlns="http://prj-tuning.com/mapdef" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://prj-tuning.com/mapdef mapdef.xsd">
<id>KRKTE</id>
</map>
Now comes the most powerful feature of the map locator tool - the pattern.
The pattern is a way to locate a matching area in a binary. So we will have to create a pattern.
The pattern consists of the following building blocks:
HEX - bytes that should be matched exactly
XX - a byte that should be skipped.
XX<number> - means that zero to <number> bytes should be skipped.
Every time the pattern is matched, the offset that is returned is the address where the first character in the pattern matched.
If you would like to move the offset that is returned to an arbitrary place in the pattern, you can prefix any of the members of the pattern with MM.
The prefixed member will become the new reported offset.
For example F2 XX MMF2 XX.
Let's build a pattern for our location. It is a simple pattern, and comes out as follows:
F2 F4 XX XX 7C 44 E0 05 70 55.
We mask out the actual address from the pattern, because it will be different between binaries.
Let's add this to the XML:
<?xml version="1.0" encoding="UTF-8"?>
<map xmlns="http://prj-tuning.com/mapdef" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://prj-tuning.com/mapdef mapdef.xsd">
<id>KRKTE</id>
<pattern>F2 F4 XX XX 7C 44 E0 05 70 55</pattern>
</map>
Now the main building blocks have been added. It will find the pattern at an offset, however this is not terribly useful yet.
The way the C167 addresses memory is via a DPP and offset. So we have to specify where from the pattern location the DPP is located and where the offset is located.
In this case our DPP - 0x207 - is located two bytes before the pattern start. If we omit this, the default DPP of 0x204 would be used.
Our offset - 0x09DC is located two bytes after the pattern start.
The total address is calculated as: dpp * 0x4000 - 0x800000 + offset. The subtraction is because of where the EEPROM is loaded.
Let's add this information to the XML:
<?xml version="1.0" encoding="UTF-8"?>
<map xmlns="http://prj-tuning.com/mapdef" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://prj-tuning.com/mapdef mapdef.xsd">
<id>KRKTE</id>
<pattern>F2 F4 XX XX 7C 44 E0 05 70 55</pattern>
<address>
<offset>2</offset>
<dppOffset>-2</dppOffset>
</address>
</map>
Alternatively, a marker could be specified (F2 F4 MMXX XX ...), the offset element omitted, and the DPP offset set to -4.
Now we just need to add the data to convert the located value to a legible form. This is done by the conversion element.
<?xml version="1.0" encoding="UTF-8"?>
<map xmlns="http://prj-tuning.com/mapdef" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://prj-tuning.com/mapdef mapdef.xsd">
<id>KRKTE</id>
<pattern>F2 F4 XX XX 7C 44 E0 05 70 55</pattern>
<address>
<offset>2</offset>
<dppOffset>-2</dppOffset>
</address>
<conversion>
<factor>0.000167</factor>
<width>2</width>
<endianness>LoHi</endianness>
</conversion>
</map>
The factor is specified - the default factor is 1.0.
The offset is not needed - the default offset is 0.0, which suits us in this case.
The default width is 1 byte and the default endianness is HiLo. In this case the value is 2 bytes wide and big-endian, so we specify the endianness as LoHi.
And that's it - this XML is enough to detect KRKTE in almost any ME7 file where it is a 16 bit value.
For 8 bit KRKTEs a slight modification is required; an example can be found in KRKTE_8.xml.
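To make the three steps above concrete, here is a small Python re-implementation of the pattern language (HEX, XX, XX<number> and the MM marker), the DPP/offset address rule and the conversion element, run against a constructed 128 KiB image that mimics the KRKTE access from this post. This is an added example, not the prj-tuning locator's own code, and it makes three assumptions the post does not spell out: the 16-bit DPP and offset words in the code stream are read low byte first (the C167 is little-endian), XX<number> prefers the shortest skip that still matches, and the conversion applies as raw * factor + offset. The 0x8000 code location, the raw value 400 and the "conversionOffset" key are constructed for the example.

```python
import re

# Token grammar: optional MM marker, then XX, XX<n>, or a two-digit hex byte.
_TOKEN = re.compile(r"^(MM)?(?:(XX)(\d*)|([0-9A-Fa-f]{2}))$")


def parse_pattern(text):
    """Turn 'F2 F4 MMXX XX3 7C' into (kind, value, marked) tuples."""
    tokens = []
    for word in text.split():
        m = _TOKEN.match(word)
        if not m:
            raise ValueError(f"bad pattern token: {word!r}")
        marked = m.group(1) is not None
        if m.group(4) is not None:                  # exact byte
            tokens.append(("byte", int(m.group(4), 16), marked))
        elif m.group(3):                            # XX<n>: zero to n bytes
            tokens.append(("skipn", int(m.group(3)), marked))
        else:                                       # XX: exactly one byte
            tokens.append(("skip1", 1, marked))
    return tokens


def _match(tokens, i, data, p):
    """Match tokens[i:] at data[p:]; return (ok, position of the MM member or None)."""
    if i == len(tokens):
        return True, None
    kind, value, marked = tokens[i]
    if kind == "byte":
        if p < len(data) and data[p] == value:
            ok, mp = _match(tokens, i + 1, data, p + 1)
            if ok:
                return True, p if marked else mp
        return False, None
    lo, hi = (1, 1) if kind == "skip1" else (0, value)
    for n in range(lo, hi + 1):                     # assumption: shortest skip first
        if p + n > len(data):
            break
        ok, mp = _match(tokens, i + 1, data, p + n)
        if ok:
            return True, p if marked else mp
    return False, None


def find_pattern(data, pattern):
    """Return every reported offset: the match start, or the MM-marked member if present."""
    tokens = parse_pattern(pattern)
    hits = []
    for p in range(len(data)):
        ok, mp = _match(tokens, 0, data, p)
        if ok:
            hits.append(p if mp is None else mp)
    return hits


def read_raw(data, addr, width=1, endianness="HiLo"):
    """Read a <width>-byte unsigned value; LoHi = low byte first."""
    return int.from_bytes(data[addr:addr + width], "little" if endianness == "LoHi" else "big")


def resolve_address(data, reported, offset=0, dpp_offset=None, default_dpp=0x204):
    """<address>: dpp * 0x4000 - 0x800000 + offset; both words assumed LoHi in the code."""
    dpp = default_dpp if dpp_offset is None else read_raw(data, reported + dpp_offset, 2, "LoHi")
    off = read_raw(data, reported + offset, 2, "LoHi")
    return dpp * 0x4000 - 0x800000 + off


def convert(raw, factor=1.0, offset=0.0):
    """<conversion>: assumed to apply as raw * factor + offset."""
    return raw * factor + offset


def build_sample_binary():
    """Constructed image mimicking the KRKTE access described in the post."""
    img = bytearray(0x20000)
    code = 0x8000                                            # constructed spot for the access
    img[code - 2:code] = (0x0207).to_bytes(2, "little")      # DPP word two bytes before the pattern
    img[code:code + 2] = b"\xF2\xF4"
    img[code + 2:code + 4] = (0x09DC).to_bytes(2, "little")  # 16-bit offset two bytes after the start
    img[code + 4:code + 10] = bytes.fromhex("7C44E0057055")
    img[0x1C9DC:0x1C9DE] = (400).to_bytes(2, "little")       # raw KRKTE, constructed, stored LoHi
    return bytes(img)


KRKTE_DEF = {  # the finished KRKTE.xml from the post, as a dict
    "pattern": "F2 F4 XX XX 7C 44 E0 05 70 55",
    "offset": 2, "dppOffset": -2,
    "factor": 0.000167, "width": 2, "endianness": "LoHi",
}


def locate_map(data, d):
    """Locate a definition in an image and return (address, converted value)."""
    hits = find_pattern(data, d["pattern"])
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, got {len(hits)}")
    addr = resolve_address(data, hits[0], d.get("offset", 0), d.get("dppOffset"))
    raw = read_raw(data, addr, d.get("width", 1), d.get("endianness", "HiLo"))
    return addr, convert(raw, d.get("factor", 1.0), d.get("conversionOffset", 0.0))


if __name__ == "__main__":
    image = build_sample_binary()
    address, value = locate_map(image, KRKTE_DEF)
    print(f"KRKTE at 0x{address:05X} = {value:.6f}")
```

On the sample image the pattern reports 0x8000, the marker variant "F2 F4 MMXX XX ..." reports 0x8002, and both the offset/dppOffset pair from the post (2, -2) and the alternative (0, -4) resolve to 0x1C9DC, which is the same arithmetic the post gives for the RS4 binary.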